diff --git a/.gitallowed b/.gitallowed
new file mode 100644
index 0000000..bb5927a
--- /dev/null
+++ b/.gitallowed
@@ -0,0 +1,3 @@
+id-token: write
+password: \${{secrets\.GITHUB_TOKEN}}
+\.gitallowed
diff --git a/.github/config/settings.yml b/.github/config/settings.yml
new file mode 100644
index 0000000..05dbcda
--- /dev/null
+++ b/.github/config/settings.yml
@@ -0,0 +1 @@
+TAG_FORMAT: "v${version}"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..4a87436
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+#########################################################################
+# Dependabot configuration file
+#########################################################################
+
+version: 2
+
+updates:
+ - package-ecosystem: "github-actions"
+ # Workflow files stored in the
+ # default location of `.github/workflows`
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ time: "18:00" # UTC
+ open-pull-requests-limit: 20
+ commit-message:
+ prefix: "Upgrade: [dependabot] - "
+
+ ###################################
+ # NPM workspace ##################
+ ###################################
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ time: "18:00"
+ open-pull-requests-limit: 20
+ versioning-strategy: increase
+ commit-message:
+ prefix: "Upgrade: [dependabot] - "
+
+ ###################################
+ # Poetry #########################
+ ###################################
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ time: "18:00"
+ open-pull-requests-limit: 20
+ versioning-strategy: increase
+ commit-message:
+ prefix: "Upgrade: [dependabot] - "
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..203df63
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,59 @@
+## Summary
+
+**Remove items from this list if they are not relevant. Remove this line once this has been done**
+
+- Routine Change
+- :exclamation: Breaking Change
+- :robot: Operational or Infrastructure Change
+- :sparkles: New Feature
+- :warning: Potential issues that might be caused by this change
+
+### Details
+
+Add any summary information of what is in the change. **Remove this line if you have nothing to add.**
+
+## Pull Request Naming
+
+Pull requests should be named using the following format:
+
+```text
+Tag: [AEA-NNNN] - Short description
+```
+
+Tag can be one of:
+
+- `Fix` - for a bug fix. (Patch release)
+- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release)
+- `New` - implemented a new feature. (Minor release)
+- `Breaking` - for a backwards-incompatible enhancement or feature. (Major release)
+- `Docs` - changes to documentation only. (Patch release)
+- `Build` - changes to build process only. (No release)
+- `Upgrade` - for a dependency upgrade. (Patch release)
+- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release)
+
+If the current release is x.y.z then
+- a patch release increases z by 1
+- a minor release increases y by 1
+- a major release increases x by 1
+
+Correct tagging is necessary for our automated versioning and release process.
+
+The description of your pull request will be used as the commit message for the merge, and also be included in the changelog. Please ensure that your title is sufficiently descriptive.
+
+### Rerunning Checks
+
+If you need to rename your pull request, you can restart the checks by either:
+
+- Closing and reopening the pull request
+- pushing an empty commit
+ ```bash
+ git commit --allow-empty -m 'trigger build'
+ git push
+ ```
+- Amend your last commit and force push to the branch
+ ```bash
+ git commit --amend --no-edit
+ git push --force
+ ```
+
+Rerunning the checks from within the pull request will not use the updated title.
diff --git a/.github/workflows/build_all_images.yml b/.github/workflows/build_all_images.yml
new file mode 100644
index 0000000..2cde7f1
--- /dev/null
+++ b/.github/workflows/build_all_images.yml
@@ -0,0 +1,63 @@
+name: build_all_images
+'on':
+ workflow_call:
+ inputs:
+ docker_tag:
+ required: true
+ type: string
+ tag_latest:
+ required: true
+ type: boolean
+env:
+ BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
+jobs:
+ discover_folders:
+ runs-on: ubuntu-latest
+ outputs:
+ language_folders: ${{ steps.find-folders.outputs.languages }}
+ project_folders: ${{ steps.find-folders.outputs.projects }}
+ steps:
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+
+ - id: find-folders
+ run: |
+ language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
+ project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
+ echo "languages=$language_folders" >> "$GITHUB_OUTPUT"
+ echo "projects=$project_folders" >> "$GITHUB_OUTPUT"
+ package_base_docker_image:
+ uses: ./.github/workflows/build_multi_arch_image.yml
+ with:
+ tag_latest: ${{ inputs.tag_latest }}
+ docker_tag: ${{ inputs.docker_tag }}
+ container_name: base
+ base_folder: "."
+ package_language_docker_images:
+ needs:
+ - package_base_docker_image
+ - discover_folders
+ strategy:
+ fail-fast: false
+ matrix:
+ container_name: ${{ fromJson(needs.discover_folders.outputs.language_folders) }}
+ uses: ./.github/workflows/build_multi_arch_image.yml
+ with:
+ tag_latest: ${{ inputs.tag_latest }}
+ docker_tag: ${{ inputs.docker_tag }}
+ container_name: ${{ matrix.container_name }}
+ base_folder: "languages"
+ package_project_docker_images:
+ needs:
+ - package_language_docker_images
+
+ - discover_folders
+ strategy:
+ fail-fast: false
+ matrix:
+ container_name: ${{ fromJson(needs.discover_folders.outputs.project_folders) }}
+ uses: ./.github/workflows/build_multi_arch_image.yml
+ with:
+ tag_latest: ${{ inputs.tag_latest }}
+ docker_tag: ${{ inputs.docker_tag }}
+ container_name: ${{ matrix.container_name }}
+ base_folder: "projects"
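Review bot: The `discover_folders` job declares no `permissions:` block, so its `actions/checkout` step runs with whatever token scope the caller or the repository default grants, although the job only reads the working tree; add `permissions:` with `contents: read` under `discover_folders:` so it is pinned to the least it needs, consistent with the per-job blocks in `build_multi_arch_image.yml`. The top-level `env: BRANCH_NAME` is referenced by no job in this workflow and can be dropped. The two `fromJson(...)` matrices also assume that both `src/languages` and `src/projects` contain at least one directory — I believe an empty `[]` vector makes the matrix job fail rather than skip — so a comment on the `find-folders` step such as `# both lists must be non-empty: an empty matrix vector fails the dependent job` would record that constraint.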
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
new file mode 100644
index 0000000..d930699
--- /dev/null
+++ b/.github/workflows/build_multi_arch_image.yml
@@ -0,0 +1,184 @@
+name: Build and push docker image
+'on':
+ workflow_call:
+ inputs:
+ tag_latest:
+ required: true
+ type: boolean
+ docker_tag:
+ required: true
+ type: string
+ container_name:
+ required: true
+ type: string
+ base_folder:
+ required: true
+ type: string
+
+jobs:
+ build_and_push_image:
+ name: Build image for ${{ inputs.container_name }} on ${{ matrix.arch }}
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+ runs-on: '${{ matrix.runner }}'
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - arch: amd64
+ runner: ubuntu-22.04
+ - arch: arm64
+ runner: ubuntu-22.04-arm
+ steps:
+ - name: Free Disk Space for Docker
+ uses: endersonmenezes/free-disk-space@e6ed9b02e683a3b55ed0252f1ee469ce3b39a885
+ with:
+ remove_android: true
+ remove_dotnet: true
+ remove_haskell: true
+ remove_tool_cache: true
+ rm_cmd: rm
+ remove_packages: >-
+ azure-cli google-cloud-cli microsoft-edge-stable
+ google-chrome-stable firefox postgresql* temurin-* *llvm* mysql*
+ dotnet-sdk-*
+ remove_packages_one_command: true
+ - name: Login to github container registry
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ fetch-depth: 0
+ - name: setup node
+ uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+ with:
+ node-version-file: .tool-versions
+
+ - name: make install
+ run: |
+ make install-node
+
+ - name: Build container
+ run: |
+ echo "Building image..."
+ make build-image
+
+ echo "Creating combined trivy ignore file"
+ # create combined trivy ignore file for use in trivy scan, combining common and specific ignore files if they exist
+ combined="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore_combined.yaml"
+ common="src/common/.trivyignore.yaml"
+ specific="src/${BASE_FOLDER}/${CONTAINER_NAME}/.trivyignore.yaml"
+ echo "vulnerabilities:" > "$combined"
+ if [ -f "$common" ]; then sed -n '2,$p' "$common" >> "$combined"; fi
+ if [ -f "$specific" ]; then sed -n '2,$p' "$specific" >> "$combined"; fi
+ echo "Combined trivy ignore file created at $combined"
+
+ env:
+ ARCHITECTURE: '${{ matrix.arch }}'
+ DOCKER_TAG: '${{ inputs.docker_tag }}'
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ BASE_VERSION: ${{ inputs.docker_tag}}
+ IMAGE_TAG: ":${{ inputs.docker_tag }}-${{ matrix.arch }}"
+ BASE_FOLDER: "${{ inputs.base_folder }}"
+ - name: Check docker vulnerabilities - json output
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+ with:
+ scan-type: "image"
+ image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
+ severity: "CRITICAL,HIGH"
+ scanners: "vuln"
+ vuln-type: "os,library"
+ format: "json"
+ output: "scan_results_docker.json"
+ exit-code: "0"
+ trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+ name: Upload scan results
+ with:
+ name: "scan_results_docker_${{ inputs.container_name }}_${{ matrix.arch }}.json"
+ path: scan_results_docker.json
+ - name: Check docker vulnerabilities - table output
+ uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
+ with:
+ scan-type: "image"
+ image-ref: "ghcr.io/nhsdigital/eps-devcontainers/${{ inputs.container_name }}:${{ inputs.docker_tag }}-${{ matrix.arch }}"
+ severity: "CRITICAL,HIGH"
+ scanners: "vuln"
+ vuln-type: "os,library"
+ format: "table"
+ output: "scan_results_docker.txt"
+ exit-code: "1"
+ trivy-config: src/${{ inputs.base_folder }}/${{ inputs.container_name }}/trivy.yaml
+
+ - name: Show docker vulnerability output
+ if: always()
+ run: |
+ echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/base:${DOCKER_TAG}-${ARCHITECTURE}"
+ if [ -f scan_results_docker.txt ]; then
+ cat scan_results_docker.txt
+ fi
+ env:
+ ARCHITECTURE: '${{ matrix.arch }}'
+ DOCKER_TAG: '${{ inputs.docker_tag }}'
+ - name: Push tagged image
+ run: |
+ echo "Pushing image..."
+ docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ - name: Push latest image
+ if: ${{ inputs.tag_latest }}
+ run: |
+ docker tag "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}" "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}"
+ echo "Pushing image..."
+ docker push "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-${ARCHITECTURE}"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+ ARCHITECTURE: '${{ matrix.arch }}'
+ publish_combined_image:
+ name: Publish combined image for ${{ inputs.container_name }}
+ runs-on: ubuntu-22.04
+ needs: build_and_push_image
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+ steps:
+ - name: Login to github container registry
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+
+ - name: Push multi-arch tagged image
+ run: |
+ docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" \
+ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-amd64" \
+ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-arm64"
+ echo "## PUSHED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
+
+ - name: Push multi-arch latest image
+ if: ${{ inputs.tag_latest }}
+ run: |
+ docker buildx imagetools create -t "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" \
+ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-amd64" \
+ "ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest-arm64"
+ echo "## PUSHED COMBINED IMAGE : ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:latest" >> "$GITHUB_STEP_SUMMARY"
+ env:
+ DOCKER_TAG: ${{ inputs.docker_tag }}
+ CONTAINER_NAME: '${{ inputs.container_name }}'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..9702368
--- /dev/null
+++ b/.github/workflows/ci.yml
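Review bot: Both `build_and_push_image` and `publish_combined_image` grant `attestations: write` and `id-token: write`, yet no step in either job produces an attestation or requests an OIDC token — the steps only log in to ghcr.io, build, scan and push — so these are unused write scopes on the job token; reduce both blocks to `contents: read` and `packages: write`, or add the provenance/attestation step that would justify them. Separately, the "Show docker vulnerability output" step prints a hard-coded `base` image name although the job is parameterised on `inputs.container_name`; change it to `echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers/${CONTAINER_NAME}:${DOCKER_TAG}-${ARCHITECTURE}"` and add `CONTAINER_NAME: '${{ inputs.container_name }}'` to that step's `env`. The combined-ignore shell in "Build container" drops the first line of each `.trivyignore.yaml` with `sed -n '2,$p'`, which is only right if every ignore file has the `vulnerabilities:` key on line 1; a leading comment or blank line there would leave a second top-level `vulnerabilities:` key in the combined file, so a comment stating that assumption (or a `yq`-based merge) is worth adding.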
@@ -0,0 +1,47 @@
+name: merge to main workflow
+on:
+ push:
+ branches: [main]
+
+jobs:
+ get_asdf_version:
+ runs-on: ubuntu-22.04
+ outputs:
+ asdf_version: '${{ steps.asdf-version.outputs.version }}'
+ tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ - name: Get asdf version
+ id: asdf-version
+ run: >-
+ echo "version=$(awk '!/^#/ && NF {print $1; exit}'
+ .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+ - name: Load config value
+ id: load-config
+ run: |
+ TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+ echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+ quality_checks:
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+ needs:
+ - get_asdf_version
+ with:
+ asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}'
+ secrets:
+ SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
+ tag_release:
+ needs: [quality_checks, get_asdf_version]
+ uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
+ with:
+ dry_run: true
+ asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+ branch_name: main
+ tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+ secrets: inherit
+ build_all_images:
+ needs: tag_release
+ uses: ./.github/workflows/build_all_images.yml
+ with:
+ docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
+ tag_latest: false
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
new file mode 100644
index 0000000..3e39073
--- /dev/null
+++ b/.github/workflows/pull_request.yml
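Review bot: `tag_release` passes `secrets: inherit` to the remote `tag-release.yml`, forwarding every repository and organisation secret to the called workflow, whereas `quality_checks` just above passes only the `SONAR_TOKEN` it needs; list the specific secrets `tag-release.yml` consumes under `secrets:` instead, so a change in the pinned reusable workflow cannot widen its access. The workflow also has no top-level `permissions:` block, so the `packages: write` that `build_multi_arch_image.yml` requests (via `build_all_images.yml`) is only available if the repository's default token permissions happen to allow it; an explicit block with `contents: read` and `packages: write` (plus whatever `tag-release.yml` needs to push a tag when `dry_run` is false) makes the grant deliberate and the run independent of that setting. Both points apply equally to `release.yml` later in this commit, where `dry_run: false` makes the inherited secrets and the tag push real.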
@@ -0,0 +1,94 @@
+name: pull_request
+'on':
+ pull_request:
+ branches:
+ - main
+env:
+ BRANCH_NAME: '${{ github.event.pull_request.head.ref }}'
+jobs:
+ dependabot-auto-approve-and-merge:
+ needs: quality_checks
+ uses: >-
+ NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+ secrets:
+ AUTOMERGE_APP_ID: '${{ secrets.AUTOMERGE_APP_ID }}'
+ AUTOMERGE_PEM: '${{ secrets.AUTOMERGE_PEM }}'
+ get_asdf_version:
+ runs-on: ubuntu-22.04
+ outputs:
+ asdf_version: '${{ steps.asdf-version.outputs.version }}'
+ tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ - name: Get asdf version
+ id: asdf-version
+ run: >-
+ echo "version=$(awk '!/^#/ && NF {print $1; exit}'
+ .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+ - name: Load config value
+ id: load-config
+ run: |
+ TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+ echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+ quality_checks:
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+ needs:
+ - get_asdf_version
+ with:
+ asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}'
+ secrets:
+ SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
+ pr_title_format_check:
+ uses: >-
+ NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+ get_issue_number:
+ runs-on: ubuntu-22.04
+ needs: quality_checks
+ outputs:
+ issue_number: '${{ steps.get_issue_number.outputs.result }}'
+ version: '${{ steps.get_issue_number.outputs.version_number }}'
+ steps:
+ - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+ name: get issue number
+ id: get_issue_number
+ with:
+ script: |
+ if (context.issue.number) {
+ // Return issue number if present
+ return context.issue.number;
+ } else {
+ // Otherwise return issue number from commit
+ return (
+ await github.rest.repos.listPullRequestsAssociatedWithCommit({
+ commit_sha: context.sha,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ })
+ ).data[0].number;
+ }
+ result-encoding: string
+ get_commit_id:
+ runs-on: ubuntu-22.04
+ outputs:
+ commit_id: '${{ steps.commit_id.outputs.commit_id }}'
+ sha_short: '${{ steps.commit_id.outputs.sha_short }}'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ ref: '${{ env.BRANCH_NAME }}'
+ - name: Get Commit ID
+ id: commit_id
+ run: |
+ # echo "commit_id=${{ github.sha }}" >> "$GITHUB_ENV"
+ echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+ echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+ build_all_images:
+ needs:
+ - get_issue_number
+ - get_commit_id
+ uses: ./.github/workflows/build_all_images.yml
+ with:
+ docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
+ tag_latest: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e9c34d5
--- /dev/null
+++ b/.github/workflows/release.yml
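Review bot: In `get_commit_id` the two outputs describe different commits: `commit_id` is taken from `${{ github.sha }}`, which on a `pull_request` event is the synthetic merge commit, while `sha_short` is `git rev-parse --short HEAD` of the checked-out `BRANCH_NAME`, so the `pr-<issue>-<sha_short>` tag handed to `build_all_images` cannot be correlated with `commit_id`. Derive both from the same checkout, `echo "commit_id=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"`, and delete the commented-out `$GITHUB_ENV` line above it, which is dead. Checking out `ref: '${{ env.BRANCH_NAME }}'` (the head branch name) also resolves against this repository only, so I would expect it to fail for a pull request opened from a fork; `ref: ${{ github.event.pull_request.head.sha }}` names the same commit unambiguously in both cases.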
@@ -0,0 +1,48 @@
+name: release workflow
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 18 * * 4"
+
+jobs:
+ get_asdf_version:
+ runs-on: ubuntu-22.04
+ outputs:
+ asdf_version: '${{ steps.asdf-version.outputs.version }}'
+ tag_format: '${{ steps.load-config.outputs.TAG_FORMAT }}'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ - name: Get asdf version
+ id: asdf-version
+ run: >-
+ echo "version=$(awk '!/^#/ && NF {print $1; exit}'
+ .tool-versions.asdf)" >> "$GITHUB_OUTPUT"
+ - name: Load config value
+ id: load-config
+ run: |
+ TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
+ echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
+ quality_checks:
+ uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@5ccebbf821beef2de6abdce9e392b3cbeb4999e3
+ needs:
+ - get_asdf_version
+ with:
+ asdfVersion: '${{ needs.get_asdf_version.outputs.asdf_version }}'
+ secrets:
+ SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
+ tag_release:
+ needs: [quality_checks, get_asdf_version]
+ uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
+ with:
+ dry_run: false
+ asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+ branch_name: main
+ tag_format: ${{ needs.get_asdf_version.outputs.tag_format }}
+ secrets: inherit
+ build_all_images:
+ needs: tag_release
+ uses: ./.github/workflows/build_all_images.yml
+ with:
+ docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
+ tag_latest: true
diff --git a/.gitignore b/.gitignore
index 42dd729..7061e3a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 node_modules/
 .venv/
 src/base/.devcontainer/language_versions/
+.trivyignore_combined.yaml
+.out/
diff --git a/.tool-versions b/.tool-versions
index 07d6f84..e2bc3a2 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -5,4 +5,4 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.68.2
+trivy 0.69.1
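Review bot: The `schedule` trigger turns this into an unattended weekly release — `dry_run: false` on `tag_release` and `tag_latest: true` on `build_all_images` mean every cron run creates a real tag and moves `:latest` — but nothing in the file says so; add a comment above the cron entry, e.g. `# Weekly unattended release (Thursday 18:00 UTC): creates a real tag and republishes :latest`, so the intent is explicit to the next reader. `workflow_dispatch` carries no inputs, so a manual run is identical to the scheduled one; if a manual dry run is ever wanted, an input wired to `dry_run` would be the place for it.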
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..62fcf7b
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,529 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "@isaacs/brace-expansion has Uncontrolled Resource Consumption" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@3.0.0" + expired_at: 2026-06-01 + - id: CVE-2021-3807 + statement: "nodejs-ansi-regex Regular expression denial of service (ReDoS) matching ANSI escape codes" + purls: + - "pkg:npm/ansi-regex@5.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + expired_at: 2026-06-01 + - id: CVE-2025-64756 + statement: "glob glob Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@11.0.3" + expired_at: 2026-06-01 + - id: CVE-2022-25881 + statement: "http-cache-semantics Regular Expression Denial of Service (ReDoS) vulnerability" + purls: + - "pkg:npm/http-cache-semantics@4.1.0" + expired_at: 2026-06-01 + - id: CVE-2024-29415 + statement: "node-ip Incomplete fix for CVE-2023-42282" + purls: + - "pkg:npm/ip@1.1.5" + expired_at: 2026-06-01 + - id: CVE-2022-3517 + statement: "nodejs-minimatch ReDoS via the braceExpand function" + purls: + - "pkg:npm/minimatch@3.0.4" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@11.6.2" + expired_at: 2026-06-01 + - id: CVE-2022-29244 + statement: "nodejs npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: CVE-2026-0775 + statement: "npmcli npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability" + purls: + - "pkg:npm/npm@8.5.0" + expired_at: 2026-06-01 + - id: 
CVE-2022-25883 + statement: "nodejs-semver Regular expression denial of service" + purls: + - "pkg:npm/semver@7.3.5" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@6.1.11" + expired_at: 2026-06-01 + - id: CVE-2026-23745 + statement: "node-tar tar node-tar Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-23950 + statement: "node-tar tar node-tar Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "node-tar tar node-tar Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@56.0.0" + expired_at: 2026-06-01 + - id: CVE-2022-40897 + statement: "pypa-setuptools Regular Expression Denial of Service (ReDoS) in package_index.py" 
+ purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-6345 + statement: "pypa/setuptools Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2025-47273 + statement: "setuptools Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-06-01 + - id: CVE-2024-49761 + statement: "rexml REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-06-01 + - id: CVE-2025-22874 + statement: "crypto/x509 Usage of ExtKeyUsageAny disables policy validation in crypto/x509" + purls: + - "pkg:golang/stdlib@v1.24.3" + 
expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.3" + expired_at: 2026-06-01 + - id: CVE-2025-66564 + statement: "github.com/sigstore/timestamp-authority Sigstore Timestamp Authority Denial of Service via excessive OID or Content-Type header parsing" + purls: + - "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted 
certificate" + purls: + - "pkg:golang/stdlib@v1.23.4" + expired_at: 2026-06-01 + - id: CVE-2023-24538 + statement: "golang html/template backticks not treated as string delimiters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24540 + statement: "golang html/template improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-24790 + statement: "golang net/netip Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-24675 + statement: "golang encoding/pem fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-27664 + statement: "golang net/http handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28131 + statement: "golang encoding/xml stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-28327 + statement: "golang crypto/elliptic panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2879 + statement: "golang archive/tar github.com/vbatts/tar-split unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-2880 + statement: "golang net/http/httputil ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30580 + statement: "golang os/exec Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30630 + statement: "golang io/fs stack 
exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30631 + statement: "golang compress/gzip stack exhaustion in Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30632 + statement: "golang path/filepath stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30633 + statement: "golang encoding/xml stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957 ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-30635 + statement: "golang encoding/gob stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-32189 + statement: "golang math/big decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41715 + statement: "golang regexp/syntax limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41720 + statement: "golang os, net/http avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41722 + statement: "golang path/filepath path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2 avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41724 + statement: "golang crypto/tls large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2022-41725 + statement: "golang net/http, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24534 + statement: "golang net/http, net/textproto denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24536 + statement: "golang net/http, net/textproto, mime/multipart denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24537 + statement: "golang go/parser Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-24539 + statement: "golang html/template improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29400 + statement: "golang html/template improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-29403 + statement: "golang runtime unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: 
CVE-2023-39325 + statement: "golang net/http, x/net/http2 rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45287 + statement: "golang crypto/tls Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2023-45288 + statement: "golang net/http, x/net/http2 unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-34156 + statement: "encoding/gob golang Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-47907 + statement: "database/sql Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-58183 + statement: "golang archive/tar Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-06-01 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd containerd local privilege escalation" + purls: + - 
"pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-06-01 + - id: CVE-2025-61726 + statement: "golang net/url Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61728 + statement: "golang archive/zip Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2025-61729 + statement: "crypto/x509 golang Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=amd64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - 
id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-21780 + statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() " + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-168.178?arch=arm64\u0026distro=ubuntu-22.04" + expired_at: 2026-06-01 + - id: CVE-2025-68121 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-61730 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-35870 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2024-53179 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37849 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-37899 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2025-38118 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-26007 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24842 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-23949 + statement: "CHANGE ME" + expired_at: 2026-06-01 + - id: CVE-2026-24049 + statement: "CHANGE ME" + expired_at: 2026-06-01 diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..65cf5ff --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,76 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, sex characteristics, gender identity and expression, +level of experience, education, socio-economic status, nationality, personal +appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or + advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see +https://www.contributor-covenant.org/faq diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..9f62523 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,61 @@ +# Contribution Guidelines + +## Raising an Issue + +If you raise an issue against this repository, please include as much information as possible to reproduce any bugs, +or specific locations in the case of content errors. + +## Contributing code + +To contribute code, please fork the repository and raise a pull request. + +Ideally pull requests should be fairly granular and aim to solve one problem each. It would also be helpful if they +linked to an issue. If the maintainers cannot understand why a pull request was raised, it will be rejected, +so please explain why the changes need to be made (unless it is self-evident). + +### Merge responsibility + +- It is the responsibility of the reviewer to merge branches they have approved. +- It is the responsibility of the author of the merge to ensure their merge is in a mergeable state. +- It is the responsibility of the maintainers to ensure the merge process is unambiguous and automated where possible. + +### Branch naming + +Branch names should be of the format: + +`aea-nnn-short-issue-description` + +Multiple branches are permitted for the same ticket. + +### Commit messages + +We do not enforce any conventions on commit messages to a branch, as we use squash commits when merging to main branch. + +Commits from a pull request get squashed into a single commit on merge, using the pull request title as the commit message. +Please format your pull request title using tags from [ESLint Convention](https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-changelog-eslint) as follows: + +```text +Tag: [AEA-NNNN] - Short description +``` + +Tag can be one of: + +- `Fix` - for a bug fix. (Patch release) +- `Update` - either for a backwards-compatible enhancement or for a rule change that adds reported problems. (Patch release) +- `New` - implemented a new feature. (Minor release) +- `Breaking` - for a backwards-incompatible enhancement or feature. 
(Major release) +- `Docs` - changes to documentation only. (Patch release) +- `Build` - changes to build process only. (No release) +- `Upgrade` - for a dependency upgrade. (Patch release) +- `Chore` - for refactoring, adding tests, etc. (anything that isn't user-facing). (Patch release) + +If the current release is x.y.z then +- a patch release increases z by 1 +- a minor release increases y by 1 +- a major release increases x by 1 + +Correct tagging is necessary for our automated versioning and release process ([Release](./RELEASE.md)). + +### Changelog + +Release changelogs are generated from the titles of pull requests merged into the `main` branch. Please ensure that your pull request title is sufficiently descriptive of the changes made. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0ba95e8 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Crown Copyright (c) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
diff --git a/Makefile b/Makefile index 0fc362a..686c788 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,14 @@ -CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainer- -CONTAINER_NAME=base -IMAGE_NAME=${CONTAINER_PREFIX}$(CONTAINER_NAME) -WORKSPACE_FOLDER=. +CONTAINER_PREFIX=ghcr.io/nhsdigital/eps-devcontainers/ + +ifneq ($(strip $(PLATFORM)),) +PLATFORM_FLAG=--platform $(PLATFORM) +endif + +guard-%: + @ if [ "${${*}}" = "" ]; then \ + echo "Environment variable $* not set"; \ + exit 1; \ + fi install: install-python install-node install-hooks 
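Review bot: `PLATFORM_FLAG` is assembled from `PLATFORM` at the top of the Makefile, but none of the recipes visible in this diff use it — the `build-image` recipe in the next hunk calls `npx devcontainer build` without it — so setting `PLATFORM` has no effect unless a recipe outside this diff references the variable. If the amd64/arm64 builds the README describes are meant to go through this target, add `$(PLATFORM_FLAG) \` to the `npx devcontainer build` invocation; otherwise drop the `ifneq` block so readers do not assume cross-platform builds are wired up here. The `guard-%` target is a good fail-fast pattern; a one-line comment above it such as `# guard-VAR: abort the recipe when environment variable VAR is unset or empty` would spare readers from decoding the `${${*}}` indirection.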
@@ -14,20 +21,52 @@ install-node: install-hooks: install-python poetry run pre-commit install --install-hooks --overwrite -install-hooks: -build-base-image: generate-language-version-files - CONTAINER_NAME=$(CONTAINER_NAME) \ - devcontainer build \ - --workspace-folder ./src/base/ \ +build-image: guard-CONTAINER_NAME guard-BASE_VERSION guard-BASE_FOLDER + npx devcontainer build \ + --workspace-folder ./src/$${BASE_FOLDER}/$${CONTAINER_NAME} \ --push false \ - --image-name "${IMAGE_NAME}" + --label "org.opencontainers.image.revision=$$DOCKER_TAG" \ + --image-name "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" -generate-language-version-files: - ./scripts/generate_language_version_files.sh +scan-image: guard-CONTAINER_NAME guard-BASE_FOLDER + @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ + common="src/common/.trivyignore.yaml"; \ + specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + echo "vulnerabilities:" > "$$combined"; \ + if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ + if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi + trivy image \ + --severity HIGH,CRITICAL \ + --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ + --scanners vuln \ + --exit-code 1 \ + --format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}" -scan-base-image: +scan-image-json: guard-CONTAINER_NAME guard-BASE_FOLDER + @combined="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore_combined.yaml"; \ + common="src/common/.trivyignore.yaml"; \ + specific="src/$${BASE_FOLDER}/$${CONTAINER_NAME}/.trivyignore.yaml"; \ + echo "vulnerabilities:" > "$$combined"; \ + if [ -f "$$common" ]; then sed -n '2,$$p' "$$common" >> "$$combined"; fi; \ + if [ -f "$$specific" ]; then sed -n '2,$$p' "$$specific" >> "$$combined"; fi + mkdir -p .out trivy image \ --severity HIGH,CRITICAL \ - --ignorefile .trivyignore.yaml \ + --config src/${BASE_FOLDER}/${CONTAINER_NAME}/trivy.yaml \ + --scanners 
vuln \ --exit-code 1 \ - --format table ${IMAGE_NAME} + --format json \ + --output .out/scan.out.json "${CONTAINER_PREFIX}$${CONTAINER_NAME}" + +shell-image: guard-CONTAINER_NAME + docker run -it \ + "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}" \ + bash + +lint: lint-githubactions + +test: + echo "Not implemented" + +lint-githubactions: + actionlint diff --git a/README.md b/README.md new file mode 100644 index 0000000..b018086 --- /dev/null +++ b/README.md 
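Review bot: `scan-image` and `scan-image-json` scan `"${CONTAINER_PREFIX}$${CONTAINER_NAME}"` while `build-image` tags the image it produces as `"${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}"`, so whenever `IMAGE_TAG` is non-empty the scan runs against whatever untagged/`latest` image happens to exist locally rather than the image just built, and a vulnerable build could pass the gate. Use the same expression in both scan recipes: `--format table "${CONTAINER_PREFIX}$${CONTAINER_NAME}${IMAGE_TAG}"` (and likewise on the `--output .out/scan.out.json` line). The `.trivyignore_combined.yaml` merge is duplicated verbatim in both targets and silently assumes line 1 of each source file is exactly `vulnerabilities:`; a shared prerequisite target (for example `combine-trivyignore`) would keep the two scans consistent, and a `test "$$(head -n1 "$$common")" = "vulnerabilities:"` guard would catch a file that gains a `---` or comment header. The generated `.trivyignore_combined.yaml` lands inside the image's source folder, so it should be ignored by git (I cannot see from this diff whether it already is) to avoid committing a stale merged ignore list.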
@@ -0,0 +1,158 @@ +EPS DEV CONTAINERS +================== + +# Introduction +This repo contains code to build a vscode devcontainers that can be used as a base image for all EPS projects. +Images are build for amd64 and arm64 and a manifest file created that can be pulled for both architectures. This is then pushed to github container registry. +Images are built using using https://github.com/devcontainers/cli. + +We build a base image based on mcr.microsoft.com/devcontainers/base:ubuntu-22.04 that other images are then based on + +The base image contains + - latest os packages + - asdf + - aws cli + - aws sam cli + + It installs the following dev container features + - docker outside of docker + - github cli + +As the vscode user the following also happens + +asdf install and setup for these so they are available globally as vscode user + - shellcheck + - direnv + - actionlint + - ruby (for github pages) + - trivy + +Install and setup git-secrets + +# Using the images +In each eps project, you can put this in the devcontainer Dockerfile. You should not need to add any features. +``` +FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13: + +USER root +# specify DOCKER_GID to force container docker group id to match host +RUN if [ -n "${DOCKER_GID}" ]; then \ + if ! getent group docker; then \ + groupadd -g ${DOCKER_GID} docker; \ + else \ + groupmod -g ${DOCKER_GID} docker; \ + fi && \ + usermod -aG docker vscode; \ + fi + +USER vscode +``` + +# Project structure +We have 3 types of dev container. These are defined under src + +`base` - this is the base image that all others are based on. +`languages` - this installs specific versions of node and python. +`projects` - this is used for projects where more customization is needed than just a base language image + +Each image to be built contains a .devcontainer folder that defines how the devcontainer should be built. At a minimum, this should contain a devcontainer.json file. 
See https://containers.dev/implementors/json_reference/ for options for this + +Images under languages should point to a dockerfile under src/common that is based off the base image. This also runs `.devcontainer/scripts/root_install.sh` and `.devcontainer/scripts/vscode_install.sh` as vscode user as part of the build + +We use trivy to scan for vulnerabilities in the built docker images. Known vulnerabilities in the base image are in `src/common/.trivyignore.yaml`. Vulnerabilities in specific images are in `.trivyignore.yaml` file in each images folder. These are combined before running a scan to exclude know vulnerabilities + +# Pull requests and merge to main process +For each pull request, and merge to main, images are built and scanned using trivy, but the images are not pushed to github container registry +Docker images are built for each pull request, and on merges to main. +Docker images are built for amd64 and arm64 architecture, and a combined manifest is created and pushed as part of the build. + +The base image is built first, and then language images, and finally project images. + +Docker images are scanned for vulnerabilities using trivy as part of a build step, and the build fails if vulnerabilities are found not in .trivyignore file. + +For pull requests, images are tagged with the pr--. +For merges to main, images are tagged with the + +# Release workflow +There is a release workflow that runs weekly at 18:00 on Thursday and on demand. +This creates a new release tag, builds all images, and pushes them to github container registry. +Images are tagged with the release tag, and also with latest + +# Local testing +## Building images +You can use these commands to build images + +Base image +``` +CONTAINER_NAME=base \ + BASE_VERSION=latest \ + BASE_FOLDER=. 
\ + make build-image +``` +Language images +``` +CONTAINER_NAME=node_24_python_3_12 \ + BASE_VERSION=latest \ + BASE_FOLDER=languages \ + make build-image +``` +Project images +``` +CONTAINER_NAME=fhir_facade_api \ + BASE_VERSION=latest \ + BASE_FOLDER=projects \ + make build-image +``` + +## Scanning images +You can use these commands to scan images +Base image +``` +CONTAINER_NAME=base \ + BASE_FOLDER=. \ + make scan-image +``` +Language images +``` +CONTAINER_NAME=node_24_python_3_12 \ + BASE_FOLDER=languages \ + make scan-image +``` +Project images +``` +CONTAINER_NAME=fhir_facade_api \ + BASE_FOLDER=projects \ + make scan-image +``` + +## Interactive shell on image +You can use this to start an interactive shell on built images +base image +``` +CONTAINER_NAME=base \ + make shell-image +``` +Language images +``` +CONTAINER_NAME=node_24_python_3_12 \ + make shell-image +``` +Project images +``` +CONTAINER_NAME=fhir_facade_api \ + make shell-image +``` + + +## Generating a .trivyignore file +You can generate a .trivyignore file for known vulnerabilities by either downloading the json scan output generated by the build, or by generating it locally using the scanning images commands above with a make target of scan-image-json + +If generated locally, then the output goes into .out/scan.out.json + +Once you have the scan output, use the following to generate a .trivyignore +``` +poetry run python \ + scripts/trivy_to_trivyignore.py \ + --input .out/scan.out.json \ + --output src/common/.trivyignore.yaml +``` diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..15baeac --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,35 @@ +# Security + +NHS England takes security and the protection of private data extremely seriously. If you believe you have found a vulnerability or other issue which has compromised or could compromise the security of any of our systems and/or private data managed by our systems, please do not hesitate to contact us using the methods outlined below. + +## Table of Contents + +- [Security](#security) + - [Table of Contents](#table-of-contents) + - [Reporting a vulnerability](#reporting-a-vulnerability) + - [Email](#email) + - [NCSC](#ncsc) + - [General Security Enquiries](#general-security-enquiries) + +## Reporting a vulnerability + +Please note, email is our preferred method of receiving reports. + +### Email + +If you wish to notify us of a vulnerability via email, please include detailed information on the nature of the vulnerability and any steps required to reproduce it. + +You can reach us at: + +- [epssupport@nhs.net](epssupport@nhs.net) +- [cybersecurity@nhs.net](cybersecurity@nhs.net) + +### NCSC + +You can send your report to the National Cyber Security Centre, who will assess your report and pass it on to NHS England if necessary. + +You can report vulnerabilities here: [https://www.ncsc.gov.uk/information/vulnerability-reporting](https://www.ncsc.gov.uk/information/vulnerability-reporting) + +## General Security Enquiries + +If you have general enquiries regarding our cybersecurity, please reach out to us at [cybersecurity@nhs.net](cybersecurity@nhs.net) diff --git a/scripts/generate_language_version_files.sh b/scripts/generate_language_version_files.sh deleted file mode 100755 index b10626f..0000000 --- a/scripts/generate_language_version_files.sh +++ /dev/null 
@@ -1,102 +0,0 @@ -#!/usr/bin/env bash - -# Define repositories to fetch .tool-versions from -REPOS=( - "NHSDigital/electronic-prescription-service-clinical-prescription-tracker" - "NHSDigital/prescriptionsforpatients" - "NHSDigital/prescriptions-for-patients" - "NHSDigital/electronic-prescription-service-api" - "NHSDigital/electronic-prescription-service-release-notes" - "NHSDigital/electronic-prescription-service-account-resources" - "NHSDigital/eps-prescription-status-update-api" - "NHSDigital/eps-FHIR-validator-lambda" - "NHSDigital/eps-load-test" - "NHSDigital/eps-prescription-tracker-ui" - "NHSDigital/eps-aws-dashboards" - "NHSDigital/eps-cdk-utils" - "NHSDigital/eps-vpc-resources" - "NHSDigital/eps-assist-me" - "NHSDigital/validation-service-fhir-r4" - "NHSDigital/electronic-prescription-service-get-secrets" - "NHSDigital/nhs-fhir-middy-error-handler" - "NHSDigital/nhs-eps-spine-client" - "NHSDigital/electronic-prescription-service-api-regression-tests" - "NHSDigital/eps-action-sbom" - "NHSDigital/eps-action-cfn-lint" - "NHSDigital/eps-common-workflows" - "NHSDigital/eps-storage-terraform" - "NHSDigital/eps-spine-shared" -) - - -# Define output files -NODEJS_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/nodejs-versions.txt" -PYTHON_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/python-versions.txt" -JAVA_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/java-versions.txt" -TERRAFORM_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/terraform-versions.txt" -GOLANG_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/golang-versions.txt" -ALL_LANGUAGES_FILE="/workspaces/eps-devcontainers/src/base/.devcontainer/language_versions/language-versions.txt" -# Clear existing files -true > "$NODEJS_FILE" -true > "$PYTHON_FILE" -true > "$JAVA_FILE" -true > "$TERRAFORM_FILE" -true > "$GOLANG_FILE" -true > "$ALL_LANGUAGES_FILE" - -# 
Loop through repositories and fetch .tool-versions -for repo in "${REPOS[@]}"; do - TEMP_FILE="/tmp/.tool-versions" - - # Fetch .tool-versions from the repository - gh api -H 'Accept: application/vnd.github.v3.raw' "repos/${repo}/contents/.tool-versions" > "$TEMP_FILE" - - # Extract versions and append to respective files - if [ -f "$TEMP_FILE" ]; then - echo "" >> ${TEMP_FILE} - while IFS= read -r line; do - tool=$(echo "$line" | awk '{print $1}') - version=$(echo "$line" | awk '{print $2}') - - case $tool in - nodejs) - echo "$version" >> "$NODEJS_FILE" - echo "nodejs $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - python) - echo "$version" >> "$PYTHON_FILE" - echo "python $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - java) - echo "$version" >> "$JAVA_FILE" - echo "java $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - terraform) - echo "$version" >> "$TERRAFORM_FILE" - echo "terraform $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - golang) - echo "$version" >> "$GOLANG_FILE" - echo "golang $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - poetry) - echo "poetry $version : ${repo}" >> "$ALL_LANGUAGES_FILE" - ;; - esac - done < "$TEMP_FILE" - fi - - # Remove temporary file - rm -f "$TEMP_FILE" -done - -# Remove duplicate entries from the files -sort -u "$NODEJS_FILE" -o "$NODEJS_FILE" -sort -u "$PYTHON_FILE" -o "$PYTHON_FILE" -sort -u "$JAVA_FILE" -o "$JAVA_FILE" -sort -u "$TERRAFORM_FILE" -o "$TERRAFORM_FILE" -sort -u "$GOLANG_FILE" -o "$GOLANG_FILE" -sort -u "$ALL_LANGUAGES_FILE" -o "$ALL_LANGUAGES_FILE" - -echo "Version files generated successfully." -cat "$ALL_LANGUAGES_FILE" diff --git a/scripts/trivy_to_trivyignore.py b/scripts/trivy_to_trivyignore.py new file mode 100644 index 0000000..bcbb023 --- /dev/null +++ b/scripts/trivy_to_trivyignore.py 
@@ -0,0 +1,151 @@ +#!/usr/bin/env python3 +"""Convert Trivy JSON output into a .trivyignore YAML file.""" + +import argparse +import datetime as dt +import json +from pathlib import Path +from typing import Any, Dict, Iterable, List, Optional + + +def add_months(date_value: dt.date, months: int) -> dt.date: + """ + Add months to a date, clamping the day to the last day of the target month. + """ + if months == 0: + return date_value + + month_index = date_value.month - 1 + months + year = date_value.year + month_index // 12 + month = month_index % 12 + 1 + + # Clamp day to the last day of the target month. + next_year = year + (1 if month == 12 else 0) + next_month = 1 if month == 12 else month + 1 + first_of_next = dt.date(next_year, next_month, 1) + last_day = first_of_next - dt.timedelta(days=1) + day = min(date_value.day, last_day.day) + return dt.date(year, month, day) + + +def extract_vulnerabilities(data: Dict[str, Any]) -> List[Dict[str, Any]]: + """Collect vulnerability entries from Trivy JSON output.""" + results = data.get("Results", []) + if not isinstance(results, list): + return [] + + vulnerabilities: List[Dict[str, Any]] = [] + for result in results: + if not isinstance(result, dict): + continue + for vuln in result.get("Vulnerabilities", []) or []: + if isinstance(vuln, dict): + vulnerabilities.append(vuln) + return vulnerabilities + + +def normalize_purl(vuln: Dict[str, Any]) -> Optional[str]: + identifier = vuln.get("PkgIdentifier") + if isinstance(identifier, dict): + purl = identifier.get("PURL") + if isinstance(purl, str) and purl.strip(): + return purl.strip() + return None + + +def build_entries( + vulnerabilities: Iterable[Dict[str, Any]], + expires_on: dt.date +) -> List[Dict[str, Any]]: + """Build YAML entries with de-duplication by CVE, merging PURLs.""" + entries: Dict[str, Dict[str, Any]] = {} + + for vuln in vulnerabilities: + vuln_id = vuln.get("VulnerabilityID") + title = vuln.get("Title") + purl = normalize_purl(vuln) + + if not 
isinstance(vuln_id, str) or not vuln_id.strip(): + continue + if not isinstance(title, str) or not title.strip(): + continue + + key = vuln_id.strip() + entry = entries.get(key) + if entry is None: + entry = { + "id": key, + "statement": title.strip(), + "purls": set(), + "expired_at": expires_on.isoformat(), + } + entries[key] = entry + + if purl: + entry["purls"].add(purl) + + merged_entries: List[Dict[str, Any]] = [] + for entry in entries.values(): + purls = sorted(entry["purls"]) + if purls: + entry["purls"] = purls + else: + entry.pop("purls", None) + merged_entries.append(entry) + + return merged_entries + + +def write_yaml(entries: List[Dict[str, Any]], output_path: Path) -> None: + """Write entries to a YAML file without external dependencies.""" + lines: List[str] = ["vulnerabilities:"] + for entry in entries: + lines.append(f" - id: {entry['id']}") + lines.append(f" statement: {json.dumps(entry['statement'])}") + if "purls" in entry: + lines.append(" purls:") + for purl in entry["purls"]: + lines.append(f" - {json.dumps(purl)}") + lines.append(f" expired_at: {entry['expired_at']}") + + output_path.parent.mkdir(parents=True, exist_ok=True) + output_path.write_text("\n".join(lines) + "\n", encoding="utf-8") + + +def parse_args() -> argparse.Namespace: + parser = argparse.ArgumentParser( + description="Convert Trivy JSON output to .trivyignore YAML." 
+ ) + parser.add_argument( + "--input", + required=True, + help="Path to the Trivy JSON output file.", + ) + parser.add_argument( + "--output", + required=True, + help="Path to write the .trivyignore YAML file.", + ) + return parser.parse_args() + + +def main() -> int: + args = parse_args() + input_path = Path(args.input) + output_path = Path(args.output) + + if not input_path.is_file(): + raise FileNotFoundError(f"Input file not found: {input_path}") + + data = json.loads(input_path.read_text(encoding="utf-8")) + vulnerabilities = extract_vulnerabilities(data) + + expires_on = add_months(dt.date.today(), 6) + entries = build_entries(vulnerabilities, expires_on) + + write_yaml(entries, output_path) + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions index 79ed779..9d748cb 100644 --- a/src/base/.devcontainer/.tool-versions +++ b/src/base/.devcontainer/.tool-versions @@ -2,4 +2,4 @@ shellcheck 0.11.0 direnv 2.37.1 actionlint 1.7.10 ruby 3.3.0 -trivy 0.68.2 +trivy 0.69.1 diff --git a/src/base/.devcontainer/Dockerfile b/src/base/.devcontainer/Dockerfile index 6c0e8d6..846d4c7 100644 --- a/src/base/.devcontainer/Dockerfile +++ b/src/base/.devcontainer/Dockerfile 
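Review bot: In `build_entries`, a finding whose `PkgIdentifier.PURL` is missing ends up with no `purls` key, and `write_yaml` then emits an entry that suppresses that CVE for every package in the image rather than the one it was found in — the tail of the `.trivyignore.yaml` hunk in this same commit shows several such unscoped entries. Consider falling back to another package identifier when the PURL is absent (Trivy's JSON normally carries `PkgName` and `InstalledVersion` per finding) or writing a clearly marked placeholder and a warning instead of silently dropping the scope. Findings with no `Title` are skipped by the `continue` without any message, so they vanish from the generated file; printing the skipped ids to stderr, or using the id itself as the `statement`, would make the omission visible. `normalize_purl` and `parse_args` have no docstring — `normalize_purl` should state that it returns the stripped `PkgIdentifier.PURL` string or `None` when absent. Since every generated `statement` is just the Trivy title, the script's module docstring should say that each entry still needs a human-written risk-acceptance rationale before it is committed.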
@@ -2,13 +2,17 @@ FROM mcr.microsoft.com/devcontainers/base:ubuntu-22.04 ARG TARGETARCH ENV TARGETARCH=${TARGETARCH} -ARG SCRIPTS_DIR=/usr/local/share/eps/ +ARG SCRIPTS_DIR=/usr/local/share/eps ARG CONTAINER_NAME ENV CONTAINER_NAME=${CONTAINER_NAME} ENV SCRIPTS_DIR=${SCRIPTS_DIR} +LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers +LABEL org.opencontainers.image.description="EPS base devcontainer" +LABEL org.opencontainers.image.licenses=MIT + ARG ASDF_VERSION -COPY .tool-versions.asdf /tmp/.tool-versions.asdf +COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} @@ -18,12 +22,8 @@ USER vscode ENV PATH="/home/vscode/.asdf/shims/:$PATH" WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} -COPY .tool-versions.asdf /home/vscode/.tool-versions.asdf -COPY .tool-versions /home/vscode/.tool-versions -COPY language_versions/nodejs-versions.txt /tmp/nodejs-versions.txt -COPY language_versions/python-versions.txt /tmp/python-versions.txt -COPY language_versions/java-versions.txt /tmp/java-versions.txt -COPY language_versions/terraform-versions.txt /tmp/terraform-versions.txt -COPY language_versions/golang-versions.txt /tmp/golang-versions.txt +COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf +COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions RUN ./vscode_install.sh +WORKDIR /home/vscode diff --git a/src/base/.devcontainer/devcontainer.json b/src/base/.devcontainer/devcontainer.json index ae0f548..6d879af 100644 --- a/src/base/.devcontainer/devcontainer.json +++ b/src/base/.devcontainer/devcontainer.json 
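Review bot: `ARG CONTAINER_NAME` has no default, so the new `COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf` and the following `WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}` silently resolve to `/usr/local/share/eps/` when the build arg is omitted, scattering the scripts at the top of `SCRIPTS_DIR` instead of failing; the devcontainer.json hunk does pass the arg, but a direct `docker build` would not. Either give it a default (`ARG CONTAINER_NAME=eps_devcontainer_base`) or add `RUN test -n "${CONTAINER_NAME}"` right after the `ENV CONTAINER_NAME=${CONTAINER_NAME}` line so the build fails early. The OCI `source`/`description`/`licenses` labels are a good provenance addition; note that `org.opencontainers.image.revision` is only attached via the Makefile `--label`, so images built outside `make build-image` carry no revision, which the Dockerfile could document with a comment next to the `LABEL` lines.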
@@ -1,11 +1,13 @@ // For format details, see https://aka.ms/devcontainer.json. For config options, see the // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu { - "name": "Ubuntu", + "name": "EPS Devcontainer Base", // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile "build": { "dockerfile": "Dockerfile", - "args": {} + "args": { + "CONTAINER_NAME": "eps_devcontainer_base" + } }, "runArgs": [ "--network=host" @@ -17,7 +19,10 @@ "moby": "true", "installDockerBuildx": "true" }, - "ghcr.io/devcontainers/features/github-cli:1": {} + "ghcr.io/devcontainers/features/github-cli:1": {}, + "ghcr.io/devcontainers/features/aws-cli:1": { + "version": "latest" + } } } diff --git a/src/base/.devcontainer/scripts/root_install.sh b/src/base/.devcontainer/scripts/root_install.sh index fd3a1ae..5457b9f 100755 --- a/src/base/.devcontainer/scripts/root_install.sh +++ b/src/base/.devcontainer/scripts/root_install.sh 
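Review bot: The new `aws-cli` feature is requested with `"version": "latest"`, so every rebuild of this base image resolves to whatever the feature publishes at that moment and two builds of the same commit can contain different CLI versions. For an image that the language and project devcontainers derive from, pin it, e.g. `"version": "<pinned-aws-cli-version>"`, and bump it deliberately. Replacing the wget-based AWS CLI install removed from root_install.sh with a feature is a good move, since that path also had no integrity check. The feature reference `ghcr.io/devcontainers/features/aws-cli:1` is itself only pinned to a major tag, as are the existing feature references in this block.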
@@ -1,29 +1,27 @@ #!/usr/bin/env bash set -e - -# Install essential packages first -apt-get update -apt-get install -y \ - curl \ - wget \ - git \ - sudo \ - unzip -apt-get clean -rm -rf /var/lib/apt/lists/* +export DEBIAN_FRONTEND=noninteractive # Add amd64 architecture if on arm64 if [ "$TARGETARCH" == "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then + echo "Adding amd64 architecture support" dpkg --add-architecture amd64 + + # Update sources.list to include amd64 repositories + echo "Configuring sources.list for amd64 and arm64" + sed -i.bak '/^deb / s|http://ports.ubuntu.com/ubuntu-ports|[arch=arm64] http://ports.ubuntu.com/ubuntu-ports|' /etc/apt/sources.list + # shellcheck disable=SC2129 + echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy main universe" >> /etc/apt/sources.list + echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-updates main universe" >> /etc/apt/sources.list + echo "deb [arch=amd64] http://archive.ubuntu.com/ubuntu jammy-security main universe" >> /etc/apt/sources.list fi -# uninstall unnecessary packages -apt-get remove -y \ - python3 -# install necessary libraries for asdf and language runtimes +echo "Running apt-get update" apt-get update -export DEBIAN_FRONTEND=noninteractive -apt-get -y dist-upgrade +apt-get upgrade -y + +# install necessary libraries for asdf and language runtimes +echo "Installing necessary packages" apt-get -y install --no-install-recommends htop vim curl git build-essential \ libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev libbz2-dev \ zlib1g-dev unixodbc unixodbc-dev libsecret-1-0 libsecret-1-dev libsqlite3-dev \ 
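Review bot: The amd64 sources appended to `/etc/apt/sources.list` hard-code the `jammy` codename, and `sed -i.bak` leaves `/etc/apt/sources.list.bak` behind in the image layer. The codename is right for the current `ubuntu-22.04` base but will drift silently if the base tag changes; read it from the image instead, e.g. `. /etc/os-release` and use `${VERSION_CODENAME}` in the three `echo` lines, and drop the `.bak` suffix (`sed -i '…'`) or remove the backup afterwards. The hunk also removes the early `apt-get clean` / `rm -rf /var/lib/apt/lists/*` step; if that cleanup is not repeated later in the script (the script continues past this hunk), the package lists stay in the image.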
@@ -32,35 +30,25 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \ libreadline-dev libsqlite3-dev wget llvm libncurses5-dev libncursesw5-dev \ xz-utils tk-dev liblzma-dev netcat-traditional libyaml-dev uuid-runtime xxd unzip -# install aws stuff -# Download correct AWS CLI for arch -if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; \ - else - wget -O /tmp/awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; \ - fi - unzip /tmp/awscliv2.zip -d /tmp/aws-cli - /tmp/aws-cli/aws/install - rm /tmp/awscliv2.zip - rm -rf /tmp/aws-cli - # Download correct SAM CLI for arch +echo "Installing aws-sam cli" if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then - wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip"; \ + wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-arm64.zip" else - wget -O /tmp/aws-sam-cli.zip "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip"; \ + wget -O /tmp/aws-sam-cli.zip --no-verbose "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip" fi - unzip /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli + unzip -q /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli /tmp/aws-sam-cli/install rm /tmp/aws-sam-cli.zip rm -rf /tmp/aws-sam-cli # Install ASDF -ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) +echo "Installing asdf" +ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' "${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf") if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then - wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"; \ + wget -O /tmp/asdf.tar.gz 
--no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz" else - wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"; \ + wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz" fi tar -xzf /tmp/asdf.tar.gz -C /tmp mkdir -p /usr/bin diff --git a/src/base/.devcontainer/scripts/vscode_install.sh b/src/base/.devcontainer/scripts/vscode_install.sh index 0349116..2759bce 100755 --- a/src/base/.devcontainer/scripts/vscode_install.sh +++ b/src/base/.devcontainer/scripts/vscode_install.sh @@ -13,17 +13,10 @@ echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc # Install ASDF plugins -asdf plugin add python -asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git -asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git asdf plugin add direnv asdf plugin add actionlint asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git -asdf plugin add java -asdf plugin add maven -asdf plugin add golang https://github.com/kennyp/asdf-golang.git -asdf plugin add golangci-lint https://github.com/hypnoglow/asdf-golangci-lint.git asdf plugin add terraform https://github.com/asdf-community/asdf-hashicorp.git asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git 
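Review bot: Both downloads in this hunk are still installed without any integrity check: the SAM CLI comes from `releases/latest/download`, so its version is neither pinned nor recorded anywhere, and the asdf tarball is version-pinned via `.tool-versions.asdf` but its contents are never verified before `tar -xzf` and `/tmp/aws-sam-cli/install` run as root. Pin the SAM release the same way asdf is pinned and check a published SHA-256 for both archives before extracting, e.g. `echo "<expected-sha256>  /tmp/aws-sam-cli.zip" | sha256sum -c -`; the `--no-verbose` and `unzip -q` changes themselves only affect logging and are fine. As a point of style, the `TARGETARCH` tests mix `=` and `==` inside `[ ]`; bash accepts both, but harmonising on `=` avoids a reader wondering whether the difference is intentional. This hunk spans two lines of the view and the script continues after `mkdir -p /usr/bin`.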
@@ -31,31 +24,6 @@ asdf plugin add trivy https://github.com/zufardhiyaulhaq/asdf-trivy.git cd /home/vscode asdf install -# Read Node.js versions from file and install -while IFS= read -r version; do - asdf install nodejs "$version" -done < /tmp/nodejs-versions.txt - -# Read Python versions from file and install -while IFS= read -r version; do - asdf install python "$version" -done < /tmp/python-versions.txt - -# Read Java versions from file and install -while IFS= read -r version; do - asdf install java "$version" -done < /tmp/java-versions.txt - -# Read Terraform versions from file and install -while IFS= read -r version; do - asdf install terraform "$version" -done < /tmp/terraform-versions.txt - -# Read Golang versions from file and install -while IFS= read -r version; do - asdf install golang "$version" -done < /tmp/golang-versions.txt - # setup gitsecrets git-secrets --register-aws --global git-secrets --add-provider --global -- cat /usr/share/secrets-scanner/nhsd-rules-deny.txt diff --git a/src/base/.trivyignore.yaml b/src/base/.trivyignore.yaml new file mode 100644 index 0000000..8697da6 --- /dev/null +++ b/src/base/.trivyignore.yaml @@ -0,0 +1 @@ +vulnerabilities: diff --git a/src/base/trivy.yaml b/src/base/trivy.yaml new file mode 100644 index 0000000..48343ee --- /dev/null +++ b/src/base/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/base/.trivyignore_combined.yaml" diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml new file mode 100644 index 0000000..618fed5 --- /dev/null +++ b/src/common/.trivyignore.yaml 
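Review bot: `vulnerabilities:` with no value parses as `null`, not as an empty list, so whether `src/base/.trivyignore.yaml` is accepted depends on how the consumer treats a null `vulnerabilities` key; write `vulnerabilities: []` so the file is unambiguously an empty ignore list. `src/base/trivy.yaml` points at `src/base/.trivyignore_combined.yaml`, which is not part of this change; if that file is generated by tooling (the Python script earlier in this commit writes a `.trivyignore` YAML) say so next to the `ignorefile:` line, e.g. `# generated from .trivyignore.yaml by <tool>; do not edit`, and if it is meant to be committed it is missing.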
@@ -0,0 +1,304 @@ +vulnerabilities: + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37849 + statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2026-26007 + statement: "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves" + purls: + - "pkg:pypi/cryptography@46.0.3" + expired_at: 2026-08-12 + - id: CVE-2024-49761 + statement: "rexml: REXML ReDoS vulnerability" + purls: + - "pkg:gem/rexml@3.2.6" + expired_at: 2026-08-12 + - id: CVE-2025-68121 + statement: "During session resumption in crypto/tls, if the underlying Config has ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 + - id: CVE-2025-61726 + statement: "golang: net/url: Memory exhaustion in query parameter parsing in net/url" + purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 + - id: CVE-2025-61728 + statement: "golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip" + purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 + - id: CVE-2025-61730 + statement: "During the TLS 1.3 handshake if multiple messages are sent in records ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + - "pkg:golang/stdlib@v1.25.5" + expired_at: 2026-08-12 + - id: CVE-2025-47907 + statement: "database/sql: Postgres Scan Race Condition" + purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-08-12 + - id: CVE-2025-58183 + statement: "golang: archive/tar: Unbounded allocation when parsing GNU sparse map" + purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + expired_at: 2026-08-12 + - id: CVE-2025-61729 + statement: "crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate" + purls: + - "pkg:golang/stdlib@v1.16.15" + - "pkg:golang/stdlib@v1.23.4" + - "pkg:golang/stdlib@v1.24.4" + - "pkg:golang/stdlib@v1.24.9" + expired_at: 2026-08-12 + - id: CVE-2023-24538 + statement: "golang: html/template: backticks not treated as string delimiters" + purls: + 
- "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-24540 + statement: "golang: html/template: improper handling of JavaScript whitespace" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2024-24790 + statement: "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-24675 + statement: "golang: encoding/pem: fix stack overflow in Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-27664 + statement: "golang: net/http: handle server errors after sending GOAWAY" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-28131 + statement: "golang: encoding/xml: stack exhaustion in Decoder.Skip" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-28327 + statement: "golang: crypto/elliptic: panic caused by oversized scalar" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-2879 + statement: "golang: archive/tar: github.com/vbatts/tar-split: unbounded memory consumption when reading headers" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-2880 + statement: "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-29804 + statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-30580 + statement: "golang: os/exec: Code injection in Cmd.Start" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-30630 + statement: "golang: io/fs: stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-30631 + statement: "golang: compress/gzip: stack exhaustion in 
Reader.Read" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-30632 + statement: "golang: path/filepath: stack exhaustion in Glob" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-30633 + statement: "golang: encoding/xml: stack exhaustion in Unmarshal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-30634 + statement: "ELSA-2022-17957: ol8addon security update (IMPORTANT)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-30635 + statement: "golang: encoding/gob: stack exhaustion in Decoder.Decode" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-32189 + statement: "golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-41715 + statement: "golang: regexp/syntax: limit memory used by parsing regexps" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-41716 + statement: "Due to unsanitized NUL values, attackers may be able to maliciously se ..." 
+ purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-41720 + statement: "golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-41722 + statement: "golang: path/filepath: path-filepath filepath.Clean path traversal" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-41723 + statement: "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-41724 + statement: "golang: crypto/tls: large handshake records may cause panics" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2022-41725 + statement: "golang: net/http, mime/multipart: denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-24534 + statement: "golang: net/http, net/textproto: denial of service from excessive memory allocation" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-24536 + statement: "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-24537 + statement: "golang: go/parser: Infinite loop in parsing" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-24539 + statement: "golang: html/template: improper sanitization of CSS values" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-29400 + statement: "golang: html/template: improper handling of empty HTML attributes" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-29403 + statement: "golang: runtime: unexpected behavior of setuid/setgid binaries" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 
+ - id: CVE-2023-39325 + statement: "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-45283 + statement: "The filepath package does not recognize paths with a \\??\\ prefix as sp ..." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-45287 + statement: "golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges." + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2023-45288 + statement: "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2024-34156 + statement: "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion" + purls: + - "pkg:golang/stdlib@v1.16.15" + expired_at: 2026-08-12 + - id: CVE-2024-25621 + statement: "github.com/containerd/containerd: containerd local privilege escalation" + purls: + - "pkg:golang/github.com/containerd/containerd/v2@v2.1.4" + expired_at: 2026-08-12 + - id: CVE-2024-35870 + statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2024-53179 + statement: "kernel: smb: client: fix use-after-free of signing key" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37849 + statement: "kernel: KVM: arm64: Tear down vGIC on failed vCPU creation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-37899 + statement: "kernel: ksmbd: fix use-after-free in session logoff" + purls: + - 
"pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 + - id: CVE-2025-38118 + statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation" + purls: + - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=arm64&distro=ubuntu-22.04" + expired_at: 2026-08-12 diff --git a/src/common/Dockerfile b/src/common/Dockerfile new file mode 100644 index 0000000..7b2cc33 --- /dev/null +++ b/src/common/Dockerfile @@ -0,0 +1,24 @@ +ARG BASE_VERSION=latest + +FROM ghcr.io/nhsdigital/eps-devcontainers/base:${BASE_VERSION} + +ARG CONTAINER_NAME +ENV CONTAINER_NAME=${CONTAINER_NAME} + +LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers +LABEL org.opencontainers.image.description="EPS ${CONTAINER_NAME} devcontainer" +LABEL org.opencontainers.image.licenses=MIT + +USER root +COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME} +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +RUN ./root_install.sh + +USER vscode + +WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME} +COPY .tool-versions /tmp/.tool-versions +RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions + +RUN ./vscode_install.sh +WORKDIR /home/vscode diff --git a/src/languages/node_24_python_3_12/.devcontainer/.tool-versions b/src/languages/node_24_python_3_12/.devcontainer/.tool-versions new file mode 100644 index 0000000..a27ded2 --- /dev/null +++ b/src/languages/node_24_python_3_12/.devcontainer/.tool-versions @@ -0,0 +1,3 @@ +nodejs 24.13.0 +python 3.12.12 +poetry 2.3.2 diff --git a/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json new file mode 100644 index 0000000..fe1b068 --- /dev/null +++ b/src/languages/node_24_python_3_12/.devcontainer/devcontainer.json 
@@ -0,0 +1,20 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.13", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../../common/Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + }, + "context": "." + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": {} + } + diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..e16905e --- /dev/null +++ b/src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git +asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git + +asdf install python +asdf install diff --git a/src/languages/node_24_python_3_12/.trivyignore.yaml b/src/languages/node_24_python_3_12/.trivyignore.yaml new file mode 100644 index 0000000..a8010cf --- /dev/null +++ b/src/languages/node_24_python_3_12/.trivyignore.yaml 
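Review bot: This devcontainer.json lives under `node_24_python_3_12` but its `name` is `"EPS Devcontainer node_24 python_3.13"` and `CONTAINER_NAME` is `"eps_devcontainer_node_24_python_3_13"`, so the 3.12 image is labelled, and its scripts directory named, as the 3.13 one (blob `fe1b068` is identical to the 3_13 file, i.e. a straight copy). Change both to `_3_12` / `3.12`. The same copy appears for `python_3_10` (same blob; `name` and `CONTAINER_NAME` both say node_24_python_3_13) and for `fhir_facade_api` (`name` only). `"BASE_VERSION": "${localEnv:BASE_VERSION}"` becomes an empty string when the variable is unset; I believe that is passed through as an empty build-arg, which would override the Dockerfile's `latest` default and break the `FROM` line, so either document the variable as required or make the Dockerfile tolerate an empty value.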
@@ -0,0 +1,27 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-08-12 + - id: CVE-2025-64756 + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + - "pkg:npm/glob@11.0.3" + expired_at: 2026-08-12 + - id: CVE-2026-23745 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-23950 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-24842 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 diff --git a/src/languages/node_24_python_3_12/trivy.yaml b/src/languages/node_24_python_3_12/trivy.yaml new file mode 100644 index 0000000..48cfe23 --- /dev/null +++ b/src/languages/node_24_python_3_12/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/languages/node_24_python_3_12/.trivyignore_combined.yaml" diff --git a/src/languages/node_24_python_3_13/.devcontainer/.tool-versions b/src/languages/node_24_python_3_13/.devcontainer/.tool-versions new file mode 100644 index 0000000..19c9a1a --- /dev/null +++ b/src/languages/node_24_python_3_13/.devcontainer/.tool-versions @@ -0,0 +1,3 @@ +nodejs 24.13.0 +python 3.13.12 +poetry 2.3.2 diff --git a/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json new file mode 100644 index 0000000..fe1b068 --- /dev/null +++ b/src/languages/node_24_python_3_13/.devcontainer/devcontainer.json 
@@ -0,0 +1,20 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.13", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../../common/Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + }, + "context": "." + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": {} + } + diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..e16905e --- /dev/null +++ b/src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git +asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git + +asdf install python +asdf install diff --git a/src/languages/node_24_python_3_13/.trivyignore.yaml b/src/languages/node_24_python_3_13/.trivyignore.yaml new file mode 100644 index 0000000..a8010cf --- /dev/null +++ b/src/languages/node_24_python_3_13/.trivyignore.yaml 
@@ -0,0 +1,27 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-08-12 + - id: CVE-2025-64756 + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + - "pkg:npm/glob@11.0.3" + expired_at: 2026-08-12 + - id: CVE-2026-23745 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-23950 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 + - id: CVE-2026-24842 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-12 diff --git a/src/languages/node_24_python_3_13/trivy.yaml b/src/languages/node_24_python_3_13/trivy.yaml new file mode 100644 index 0000000..6af84d8 --- /dev/null +++ b/src/languages/node_24_python_3_13/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/languages/node_24_python_3_13/.trivyignore_combined.yaml" diff --git a/src/languages/node_24_python_3_14/.devcontainer/.tool-versions b/src/languages/node_24_python_3_14/.devcontainer/.tool-versions new file mode 100644 index 0000000..ed99ea2 --- /dev/null +++ b/src/languages/node_24_python_3_14/.devcontainer/.tool-versions @@ -0,0 +1,3 @@ +nodejs 24.13.0 +python 3.14.3 +poetry 2.3.2 diff --git a/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json new file mode 100644 index 0000000..afbfe61 --- /dev/null +++ b/src/languages/node_24_python_3_14/.devcontainer/devcontainer.json 
@@ -0,0 +1,20 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.14", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../../common/Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_14" + }, + "context": "." + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": {} + } + diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..e16905e --- /dev/null +++ b/src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git +asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git + +asdf install python +asdf install diff --git a/src/languages/node_24_python_3_14/.trivyignore.yaml b/src/languages/node_24_python_3_14/.trivyignore.yaml new file mode 100644 index 0000000..57d92bd --- /dev/null +++ b/src/languages/node_24_python_3_14/.trivyignore.yaml 
@@ -0,0 +1,42 @@ +vulnerabilities: + - id: CVE-2026-25547 + statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion" + purls: + - "pkg:npm/%40isaacs/brace-expansion@5.0.0" + expired_at: 2026-08-12 + - id: CVE-2026-24842 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.4" + expired_at: 2026-08-12 + - id: CVE-2026-23949 + statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives" + purls: + - "pkg:pypi/jaraco.context@5.3.0" + expired_at: 2026-08-12 + - id: CVE-2026-24049 + statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking" + purls: + - "pkg:pypi/wheel@0.45.1" + expired_at: 2026-08-12 + - id: CVE-2025-64756 + statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames" + purls: + - "pkg:npm/glob@10.4.5" + - "pkg:npm/glob@11.0.3" + expired_at: 2026-08-13 + - id: CVE-2026-23745 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-13 + - id: CVE-2026-23950 + statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-13 + - id: CVE-2026-24842 + statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check" + purls: + - "pkg:npm/tar@7.5.1" + expired_at: 2026-08-13 diff --git a/src/languages/node_24_python_3_14/trivy.yaml b/src/languages/node_24_python_3_14/trivy.yaml new file mode 100644 index 0000000..e786be4 --- /dev/null +++ b/src/languages/node_24_python_3_14/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/languages/node_24_python_3_14/.trivyignore_combined.yaml" 
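Review bot: `CVE-2026-24842` appears twice in this file (once for `pkg:npm/tar@7.5.4` expiring `2026-08-12`, once for `pkg:npm/tar@7.5.1` expiring `2026-08-13`) and the last four entries carry a different expiry from the rest, which looks like two scan outputs concatenated rather than a regenerated list. Merge both purls under one `CVE-2026-24842` entry with a single expiry, or regenerate the file from one scan. Having both `tar@7.5.1` and `tar@7.5.4` suggests two copies of node-tar in the image; if one belongs to a globally installed npm tool, upgrading that tool is likely cheaper than carrying four node-tar path-traversal ignores. As elsewhere in the commit, the `statement` values are titles, not justifications.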
diff --git a/src/languages/python_3_10/.devcontainer/.tool-versions b/src/languages/python_3_10/.devcontainer/.tool-versions new file mode 100644 index 0000000..deac4f1 --- /dev/null +++ b/src/languages/python_3_10/.devcontainer/.tool-versions @@ -0,0 +1,2 @@ +python 3.10.12 +poetry 2.1.3 diff --git a/src/languages/python_3_10/.devcontainer/devcontainer.json b/src/languages/python_3_10/.devcontainer/devcontainer.json new file mode 100644 index 0000000..fe1b068 --- /dev/null +++ b/src/languages/python_3_10/.devcontainer/devcontainer.json @@ -0,0 +1,20 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu +{ + "name": "EPS Devcontainer node_24 python_3.13", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "build": { + "dockerfile": "../../../common/Dockerfile", + "args": { + "BASE_VERSION": "${localEnv:BASE_VERSION}", + "CONTAINER_NAME": "eps_devcontainer_node_24_python_3_13" + }, + "context": "." + }, + "runArgs": [ + "--network=host" + ], + "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" }, + "features": {} + } + diff --git a/src/languages/python_3_10/.devcontainer/scripts/root_install.sh b/src/languages/python_3_10/.devcontainer/scripts/root_install.sh new file mode 100755 index 0000000..0510f2c --- /dev/null +++ b/src/languages/python_3_10/.devcontainer/scripts/root_install.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env bash +set -e diff --git a/src/languages/python_3_10/.devcontainer/scripts/vscode_install.sh b/src/languages/python_3_10/.devcontainer/scripts/vscode_install.sh new file mode 100755 index 0000000..f13cedf --- /dev/null +++ b/src/languages/python_3_10/.devcontainer/scripts/vscode_install.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -e + +asdf plugin add python +asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git + +asdf install python +asdf install 
diff --git a/src/languages/python_3_10/.trivyignore.yaml b/src/languages/python_3_10/.trivyignore.yaml new file mode 100644 index 0000000..dfaba04 --- /dev/null +++ b/src/languages/python_3_10/.trivyignore.yaml @@ -0,0 +1,16 @@ +vulnerabilities: + - id: CVE-2022-40897 + statement: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-08-12 + - id: CVE-2024-6345 + statement: "pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-08-12 + - id: CVE-2025-47273 + statement: "setuptools: Path Traversal Vulnerability in setuptools PackageIndex" + purls: + - "pkg:pypi/setuptools@65.5.0" + expired_at: 2026-08-12 diff --git a/src/languages/python_3_10/trivy.yaml b/src/languages/python_3_10/trivy.yaml new file mode 100644 index 0000000..fe0d67f --- /dev/null +++ b/src/languages/python_3_10/trivy.yaml @@ -0,0 +1 @@ +ignorefile: "src/languages/python_3_10/.trivyignore_combined.yaml" diff --git a/src/projects/fhir_facade_api/.devcontainer/.tool-versions b/src/projects/fhir_facade_api/.devcontainer/.tool-versions new file mode 100644 index 0000000..af19266 --- /dev/null +++ b/src/projects/fhir_facade_api/.devcontainer/.tool-versions @@ -0,0 +1 @@ +java openjdk-20 diff --git a/src/projects/fhir_facade_api/.devcontainer/Dockerfile b/src/projects/fhir_facade_api/.devcontainer/Dockerfile new file mode 100644 index 0000000..6050632 --- /dev/null +++ b/src/projects/fhir_facade_api/.devcontainer/Dockerfile 
@@ -0,0 +1,24 @@
+ARG BASE_VERSION=latest
+
+FROM ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_13:${BASE_VERSION}
+
+LABEL org.opencontainers.image.source=https://github.com/NHSDigital/eps-devcontainers
+LABEL org.opencontainers.image.description="EPS fhir facade devcontainer"
+LABEL org.opencontainers.image.licenses=MIT
+
+USER root
+COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+RUN ./root_install.sh
+
+
+USER vscode
+
+USER vscode
+
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY .tool-versions /tmp/.tool-versions
+RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
+
+RUN ./vscode_install.sh
+WORKDIR /home/vscode
diff --git a/src/projects/fhir_facade_api/.devcontainer/devcontainer.json b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..da3a820
--- /dev/null
+++ b/src/projects/fhir_facade_api/.devcontainer/devcontainer.json
@@ -0,0 +1,20 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+ "name": "EPS Devcontainer node_24 python_3.13",
+ // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+ "build": {
+ "dockerfile": "Dockerfile",
+ "args": {
+ "BASE_VERSION": "${localEnv:BASE_VERSION}",
+ "CONTAINER_NAME": "fhir_facade_api"
+ },
+ "context": "."
+ },
+ "runArgs": [
+ "--network=host"
+ ],
+ "remoteEnv": { "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" },
+ "features": {}
+ }
+
diff --git a/src/projects/fhir_facade_api/.devcontainer/scripts/root_install.sh b/src/projects/fhir_facade_api/.devcontainer/scripts/root_install.sh
new file mode 100755
index 0000000..0733658
--- /dev/null
+++ b/src/projects/fhir_facade_api/.devcontainer/scripts/root_install.sh
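Review bot: `COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}` and both `WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}` lines expand `CONTAINER_NAME` and `SCRIPTS_DIR`, but the only declaration in this Dockerfile is `ARG BASE_VERSION=latest`; a `--build-arg CONTAINER_NAME=fhir_facade_api` passed from devcontainer.json is not visible inside a stage that has no `ARG CONTAINER_NAME` after `FROM`, so unless the base image exports both names as `ENV` the scripts land in an unintended (possibly empty) path. Adding `ARG CONTAINER_NAME` (and `ARG SCRIPTS_DIR` if the base does not set it) directly after the `FROM` line makes the intent explicit either way. `USER vscode` is also written twice in a row with only a blank line between; one is enough. Separately, the `latest` default for `BASE_VERSION` means a build run without that variable floats on a moving tag; a pinned default tag or digest would keep the devcontainer reproducible.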
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+# install non snap version of firefox
+add-apt-repository -y ppa:mozillateam/ppa
+cat < /etc/apt/preferences.d/mozilla-firefox
+Package: *
+Pin: release o=LP-PPA-mozillateam
+Pin-Priority: 1001
+EOF
+
+apt-get -y install firefox
diff --git a/src/projects/fhir_facade_api/.devcontainer/scripts/vscode_install.sh b/src/projects/fhir_facade_api/.devcontainer/scripts/vscode_install.sh
new file mode 100755
index 0000000..dd0f582
--- /dev/null
+++ b/src/projects/fhir_facade_api/.devcontainer/scripts/vscode_install.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+# install java using asdf
+asdf plugin add java
+asdf install
diff --git a/src/projects/fhir_facade_api/.trivyignore.yaml b/src/projects/fhir_facade_api/.trivyignore.yaml
new file mode 100644
index 0000000..639428a
--- /dev/null
+++ b/src/projects/fhir_facade_api/.trivyignore.yaml
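Review bot: The apt pin written to `/etc/apt/preferences.d/mozilla-firefox` uses `Package: *` with `Pin-Priority: 1001`, which lets any package the mozillateam PPA publishes take precedence over — and, because the priority exceeds 1000, even downgrade — the matching package from the Ubuntu archive, not just firefox; narrowing it to `Package: firefox*` limits the trust extended to the PPA to the package actually wanted. As rendered here the heredoc line reads `cat < /etc/apt/preferences.d/mozilla-firefox`, which would read the file rather than write it; I assume the `<<EOF >` redirection was lost in rendering, but it is worth checking the committed file. `apt-get -y install firefox` also leaves the package lists in the layer; `rm -rf /var/lib/apt/lists/*` afterwards is the usual cleanup.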
@@ -0,0 +1,67 @@
+vulnerabilities:
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
+ expired_at: 2026-08-12
+ - id: CVE-2026-25547
+ statement: "brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion"
+ purls:
+ - "pkg:npm/%40isaacs/brace-expansion@5.0.0"
+ expired_at: 2026-08-12
+ - id: CVE-2025-64756
+ statement: "glob: glob: Command Injection Vulnerability via Malicious Filenames"
+ purls:
+ - "pkg:npm/glob@10.4.5"
+ - "pkg:npm/glob@11.0.3"
+ expired_at: 2026-08-12
+ - id: CVE-2026-23745
+ statement: "node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2026-23950
+ statement: "node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2026-24842
+ statement: "node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check"
+ purls:
+ - "pkg:npm/tar@7.5.1"
+ expired_at: 2026-08-12
+ - id: CVE-2022-25235
+ statement: "expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-25236
+ statement: "expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-26485
+ statement: "Mozilla: Use-after-free in XSLT parameter processing"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
+ - id: CVE-2022-26486
+ statement: "Mozilla: Use-after-free in WebGPU IPC Framework"
+ purls:
+ - "pkg:deb/ubuntu/firefox@147.0.3%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=arm64&distro=ubuntu-22.04"
+ expired_at: 2026-08-13
diff --git a/src/projects/fhir_facade_api/trivy.yaml b/src/projects/fhir_facade_api/trivy.yaml
new file mode 100644
index 0000000..1d8a75c
--- /dev/null
+++ b/src/projects/fhir_facade_api/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/projects/fhir_facade_api/.trivyignore_combined.yaml"
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..eb24337
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: ".trivyignore.yaml"
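Review bot: Every entry's `statement` is the advisory title rather than the reason the finding is accepted, and the four expat/Mozilla advisories (CVE-2022-25235, CVE-2022-25236, CVE-2022-26485, CVE-2022-26486) are suppressed against `firefox@147.0.3…~mt1` for both amd64 and arm64 — if these are scanner false positives caused by the PPA's `~mt1` version string not matching the distribution's security tracker, that is what `statement` should say, so the next reader can tell a false positive from an accepted risk. The node-tar entries (CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 against `pkg:npm/tar@7.5.1`) are arbitrary-file-write advisories; if tar is only a transitive dependency of a global tool in the image, naming that tool and whether an upgrade path exists belongs in the statement as well. The arm64 firefox block expires on 2026-08-13 while the otherwise identical amd64 block expires on 2026-08-12; aligning the dates (or noting why they differ) keeps the two architectures from drifting apart at the next review.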